[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1195660319.759.50.camel@moss-spartans.epoch.ncsc.mil>
Date: Wed, 21 Nov 2007 10:51:59 -0500
From: Stephen Smalley <sds@...ho.nsa.gov>
To: "Serge E. Hallyn" <serue@...ibm.com>
Cc: linux-kernel@...r.kernel.org, casey@...aufler-ca.com,
chrisw@...s-sol.org, darwish.07@...il.com, jmorris@...ei.org,
method@...icmethod.com, morgan@...nel.org, paul.moore@...com
Subject: Re: +
smack-version-11c-simplified-mandatory-access-control-kernel.patch added to
-mm tree
On Wed, 2007-11-21 at 09:48 -0600, Serge E. Hallyn wrote:
> Quoting akpm@...ux-foundation.org (akpm@...ux-foundation.org):
> > +/*
> > + * There are not enough CAP bits available to make this
> > + * real, so Casey borrowed the capability that looks to
> > + * him like it has the best balance of similarity amd
> > + * low use.
> > + */
> > +#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
>
> Hey Casey,
>
> note that 64-bit capabilities are now in -mm, so you could grab your own
> capability.
Which brings up an interesting question - what to do with
security-module-specific capabilities? CAP_MAC_OVERRIDE is specific to
Smack - other MAC modules like SELinux won't honor it. Maybe it should
be CAP_SMACK_OVERRIDE.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists